6.4 Configure Port Security (KVM/OpenStack Only)

This procedure configures port security for Target Set Addresses (TSA).
Prerequisites:
  • Perform "Enable the Neutron port security extension".
  • This extension is required in order to disable the Neutron anti-spoofing filter rules for a given port.
  • Refer to Disable Port Security, where this is discussed.
  1. IPFE with TSA only. Remove allowed address pair security on the IPFE XSI network and on the DAMP XSI interfaces of the IPFE and MP instances.
    If the stacks were deployed using a HEAT template, follow this step.
    1. Determine the TSA IP address used in Configure IP Front End.
    2. Determine the corresponding XSI interface IP address assigned to that TSA used in Configure IP Front End.
    3. Determine the XSI IP address of IPFE used in Configure IP Front End.
    4. Log in to the OpenStack control node as the admusr user.
    5. Source the tenant user credentials.
    6. Determine the port ID of the XSI interface IP address.
      $ neutron port-list -F id -F fixed_ips | grep <XSI network>

      Note:

      <port ID> is the value in the first column of the output of this command.
    7. Remove allowed_address_pairs:
      $ neutron port-update <Port ID> --no-allowed-address-pairs

      Note:

      Run the neutron port-show command to verify that the allowed_address_pairs attribute is empty.
  2. IPFE with TSA only. Remove port security on TSA XSI network interfaces on IPFE and MP instances.
    If using IPFE with Target Set Addresses (TSA).
    1. Determine the TSA IP address as used in Configure IP Front End section.
    2. Determine the corresponding XSI interface IP address as used in Configure IP Front End section.
    3. Log in to the OpenStack control node as the admusr user.
    4. Source the tenant user credentials.
    5. Determine security groups associated with the IPFE instance.
      $ nova list-secgroup <VM instance ID>

      Note:

      <VM instance ID> can be taken from the ID column of the nova list output for the given VM.
    6. Save the ID and names of the listed security groups for later use.
    7. Remove all listed security groups.
      $ nova remove-secgroup <VM instance ID> <Security group ID>

      Note:

      Use the <VM instance ID> and <Security group ID> noted in step 6 above.
      Alternatively, use the following syntax:
      $ nova remove-secgroup <VM instance name> <Security group name>
    8. Determine the port ID of the XSI interface IP address from step 2 above.
      $ neutron port-list -F id -F fixed_ips | grep <instance IP on TSA/XSI network>

      Note:

      <port ID> is the value in the first column of the output of this command.
    9. Disable port security for the port found in step 8.
      $ neutron port-update <Port ID> --port-security-enabled=false
    10. Re-enable port security for all interfaces other than the TSA/XSI port used in step 9, including XMI, IMI, and others.
    11. Determine the port IDs of the instance IP addresses not associated with the TSA/XSI network.
      $ neutron port-list -F id -F fixed_ips | grep <instance IP not on TSA/XSI network>
    12. For each of the non-TSA/XSI instance ports, run the following command for each of the security groups saved in step 6.
      $ neutron port-update <Port ID> --security-group <Security group ID>

      Note:

      Use the <Security group ID> values noted in step 6 above.
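The following POSIX shell helper is an added example, not part of this guide: it resolves port IDs from `neutron port-list -F id -F fixed_ips` output by exact fixed IP (so that grepping for 10.196.1.5 cannot also hit 10.196.1.50) and prints the port-update commands of steps 7, 9 and 12 for review before they are run. The port table, UUIDs, subnet names and the SECGROUP_IDS variable are constructed placeholders; it passes all security groups in a single port-update per port, since each call sets the port's whole security_groups list.

```shell
#!/bin/sh
# Added helper (not from the DSR guide). Finds ports by exact fixed IP and
# prints the port-security commands of steps 7, 9 and 12 without executing them.

# Constructed sample of `neutron port-list -F id -F fixed_ips`; IDs are placeholders.
SAMPLE_PORT_LIST='+--------------------------------------+----------------------------------------------------------+
| id                                   | fixed_ips                                                |
+--------------------------------------+----------------------------------------------------------+
| 11111111-aaaa-4bbb-8ccc-000000000001 | {"subnet_id": "subnet-xsi", "ip_address": "10.196.1.5"}  |
| 11111111-aaaa-4bbb-8ccc-000000000002 | {"subnet_id": "subnet-xsi", "ip_address": "10.196.1.50"} |
| 11111111-aaaa-4bbb-8ccc-000000000003 | {"subnet_id": "subnet-xmi", "ip_address": "10.196.0.5"}  |
+--------------------------------------+----------------------------------------------------------+'
# For real use: PORT_LIST="$(neutron port-list -F id -F fixed_ips)" before sourcing.
PORT_LIST=${PORT_LIST:-$SAMPLE_PORT_LIST}

# port_id_for_ip <ip>: print the id (first column) of the port whose fixed_ips
# holds exactly <ip>. Matching the closing quote rules out longer-prefix hits.
port_id_for_ip() {
  printf '%s\n' "$PORT_LIST" \
    | grep -F "\"ip_address\": \"$1\"" \
    | awk -F'|' '{ gsub(/ /, "", $2); print $2 }'
}

# port_security_plan <xsi_ip> [other_ip ...]: print the commands that strip the
# allowed-address pair and port security from the TSA/XSI port (steps 7 and 9)
# and re-attach every group in SECGROUP_IDS (space separated, saved in step 6)
# to the remaining ports (step 12). Review the output, then pipe it into sh.
port_security_plan() {
  xsi_port=$(port_id_for_ip "$1"); shift
  if [ -z "$xsi_port" ]; then
    echo "no port carries the XSI IP; check the port list from step 8" >&2
    return 1
  fi
  echo "neutron port-update $xsi_port --no-allowed-address-pairs"
  echo "neutron port-update $xsi_port --port-security-enabled=false"
  for ip in "$@"; do
    port=$(port_id_for_ip "$ip")
    [ -n "$port" ] || { echo "skipping $ip: no port found" >&2; continue; }
    cmd="neutron port-update $port"
    for sg in $SECGROUP_IDS; do cmd="$cmd --security-group $sg"; done  # word splitting intended
    echo "$cmd"
  done
}

# Example run against the constructed table (hypothetical group IDs):
# SECGROUP_IDS="sg-aaaa sg-bbbb"; port_security_plan 10.196.1.5 10.196.0.5
```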